MRC Advocacy: Voice of the Merchant



Advocacy is of tremendous importance to MRC merchant members as the payments industry becomes more regulated than ever before. The MRC's advocacy work is focused on several key areas, one of them being a strong collaboration with the card networks, enabling us to get advanced notifications about new mandates and providing the merchant voice regarding changes before they come into effect.


MRC Advocacy -- Card Networks

MRC Advocacy -- SCA/EMV 3DS
The MRC has established relationships with each of the major card networks, Visa, Mastercard, American Express, and Discover. We are advocating for the voice of the merchant to be heard before rule changes are enacted, raising visibility on challenges merchants face today, and collaboratively working towards solutions.
Regulation calls for SCA requirements to be in place. Implementation is being enforced beginning December 31, 2020. The MRC has advocated EU Regulators (18) to move the enforcement date, by country, based on reports of industry readiness, or lack thereof. Our merchant community, lead by Microsoft and Amazon, have published SCA readiness dashboards by country. Through this initiative, we created a deadline dashboard by country and a Slack channel for merchants and issuers to discuss challenges.

Find out more

MRC Advocacy -- Friendly Fraud/First Party Misuse

MRC Advocacy -- Cybercrime
The MRC is working to address First Party Misuse or Hostile Friendly Fraud. This problem represents up to 80% of all fraud for many of our merchant members and the current economics in the ecosystem do not support a solution. Working with our related Committee, the MRC has defined the problem, reviewed compelling evidence required to address it, and we are now building a strategy to visit with standards bodies to advocate for change.
The MRC applied for a portion of the EU Commission Internal Security Fund and was awarded €500K for a public-private partnership project so that MRC merchant members and Law Enforcement agencies would have a platform to work together against cybercrime. MRC also partners with the IC3 (Internet Crime Complaint Center) and has a Memorandum of understanding in place with Europol.


SCA/EMV 3DS

The MRC is working with merchants and issuers to ensure upcoming regulation enforcement does not have a negative impact on the industry. On September 14, 2019, new requirements for authenticating online retail payments were introduced in Europe as part of the Payments Services Directive update (PSD2). The industry was proven not to be ready at that time, so the European Banking Authority (EBA) facilitated an extension to the implementation deadline of the regulation, to December 31, 2020. The MRC shares the goal of a robust implementation of Strong Customer Authentication (SCA); however, our merchant members have shown us in recent months that the ecosystem is not yet ready for the regulation to be implemented.

Microsoft's SCA Scorecard is available on LinkedIn: https://www.linkedin.com/posts/deanjordaan_microsoft-sca-scorecard-september-2020-activity-6719683094875639808-BwEY/

For more information on how Microsoft built their scorecard, see the following articles on LinkedIn Pulse:

Scorecards from Amazon and Google are available by clicking the button below.

Download Scorecards

The MRC has called on the EBA and the European Commission to use their influence to encourage all NCAs (National Conduct Authorities) to adopt a flexible approach to the implementation of SCA and give industry scope beyond the December 31 deadline. The MRC also wrote to 18 NCAs directly to suggest the deadline for the operational application of SCA should be pushed out by at least 6 months.

Click here to view the MRC's correspondence with the European Commission, European Banking Authority, the Commission's responses, and a joint letter from the European Payment Institutions Federation signed by MRC, Visa, Mastercard, the European Hotel Forum, and many more.

The MRC has also engaged consumer associations in Europe to ensure they are fully informed on the impact on consumers from January 1 when card issuers are forced to decline transactions that do not appear to be SCA compliant. In some countries, the reports are showing this figure could be up to 50% of transactions.

The MRC has produced a Country SCA deadline dashboard to note the enforcement deadlines for European countries. See it here.

Other merchant scorecards are available to Regulators and Card Issuers. Contact us for access to these.

The MRC heard from card issuers and merchants that it is extremely hard to test for and debug problems highlighted when processing SCA-ready transactions, so we established a Slack channel where the community is working together to solve issues. If you wish to join the Slack channel (open to merchants and card issuers), contact slack3ds@merchantriskcouncil.org.

To sign up for testing with Visa, email Visa at gct3dssupp@visa.com. To sign up for the Mastercard test platform, visit https://3dss.netcetera.com/mastercard-psd2-testing/.


Who makes the regulation in Europe and who implements it?

The European Commission produced the regulation (PSD2). The regulation specifically relating to SCA has been enforceable since September 14, 2019. In effect, all regulated bodies (banks, credit institutions, etc.) should be compliant since that date. However, on that date, nothing really changed.

The EBA -- European Banking Authority -- are the enforcers of the regulation in the EU (European Union). They enforce the NCAs -- the national competent / conduct authorities, normally the Central Banks of each nation -- to ensure compliance in each nation. It was the EBA, in September 2019, that allowed the NCAs time before which they had to enforce the regulation in each nation. This flexibility is to the end of 2020.

The Commission and the EBA have noted all parties have been aware of the regulation since 2017. They are currently not willing to extend the deadline for enforcement for that reason. The FCA was able to make an early decision most likely because of Brexit, i.e. they have left the EU and as such are not required to comply with EU regulation, in theory. That said, the UK will wish to remain competitive, so they aim to comply but have allowed another 9 months for their regulated bodies (issuers and acquirers) to comply with the regulation.

While each NCA can make its own decision on delaying the date, they are required to enforce the regulation under the EBA. To date, some NCAs have decided to move their dates (see the MRC SCA deadline chart for more information).